Implement zero-knowledge proofs

Question

Implement zero-knowledge proofs

Opened this issue 5 years ago · 1 comments

Answer 1 · 2019-06-29T23:23:57.000Z

Based on the Shuffle-Sum paper, I think we need to do two types of zero-knowledge proofs:

Proof of correct decryption
Proof of correct shuffling

Luckily, the Damgard-Jurik cryptosystem has range proofs that can help with the first point: https://www.brics.dk/DS/03/9/BRICS-DS-03-9.pdf (Section 4.3.4).

The shuffling proofs might be more complex. One description is here: http://www0.cs.ucl.ac.uk/staff/J.Groth/MinimalShuffle.pdf. It's not specific to Damgard-Jurik crypto, but it seems to work for general homomorphic encryption schemes.

I'll keep looking into this to see how difficult it would be to implement these proofs.